Preventing bots from running PHP scripts

Question

We have a directory that is open to the web where we place utility scripts, some of them used for submitting Email, others for calling generic functions on our web service.

In my PHP error log, I am constantly getting notices and warning that the data that is used in the script has an issue, like "undefined index" or "trying to get property of non-object".

Several of these script I know are not being used anymore, yet there are still entries in the log file from someone attempting to run those scripts.

What can I do to prevent this from happening in my legitimate scripts? They need to be avail to the web due to them being called via ajax from multiple pages.

Update ---
I figured out that the reason they were even able to be run by bots was that the directory didn't have protection from directory listings; meaning that the bots had read the listing and ran them from there without really knowing what they did.

I added the option to prevent directory listings to my .htaccess and I am going to monitor things to see if it helps.

On another note to all those suggesting blocking via IP or password protect them... After checking some log files, checking for IP will not work because the scripts are being called both from the server, in PHP scripts, AND via ajax from the client. Also, to protect with password means I'd have to modify every place that calls the scripts to pass that password.

Hopefully my mods will help tremendously but it may not prevent bots that already know the scripts are there.

Answer 1

I added the option to prevent directory listings to my .htaccess.

This brought down the execution fo the scripts by bots down to almost zero. I can live with the number I'm receiving now.

Answer 2

You could/should protecte those scripts with IP restrictions or logins. Both can be done with .htaccess files. This is probably enough for simple utility scripts. You should not use something like this for a complex and secure application though.

Sample .htaccess file:

# BAN USER BY IP
<Limit GET POST>
 order allow,deny
 allow from all
 deny from 1.2.3.4
</Limit>

# login
AuthName "Test"
AuthType Basic
AuthUserFile test/.htpasswd
require valid-user

Sample .htpasswd file

test:Qh8a4zM4Z/i1c

There are even generators for these files. Some sample that Google found: http://www.toshop.com/htaccess-generator.cfm

Answer 3

Don't call PHP script directly, or make scripts that are directly callable. This is the end goal. Probably not something you can implement right now.

If you take an Object Oriented approach all your PHP files will contain just classes. This means that when you run a file nothing happens.

Only 1 file will be an actual script and that is your entry point.

---

You're getting these undefined index messages probably because you're not validating your input (or there is a bug).

It's common to see a script like:

if ($_GET["action"] === "edit") {
    // edit
} else if ($_GET["action"] === "delete") {
    // delete
}

You expect to call the script like: action.php?action=edit but what if you call it like: action.php? You will get undefined index "action"

Add input validation like:

if (isset($_GET["action"]) === false) {
    throw new Exception("Invalid input");
}

---

If a file is no longer used, delete it. If you don't want a file accessible from the web move it out of the webroot.

Answer 4

I run scripts via a cronjob and have them protected by a password I pass through the GET, like this:

$password = $_GET['password'];

if($password == "somethingcool") {

    //the rest of your code here.

}

Then I call my script like this: script.php?password=somethingcool. If the password is incorrect, the script isn't executed.

There's a downside to this though.. if it's called from a public page, make sure you use javascript variables to set the password, or the bot will simple follow the link in the source code.

PS: Make sure you filter $_GET['password'], this current example is not safe to use.